Retire 192.30.252.15{3,4} in favor of new octet

lib/github-pages-health-check/caa.rb

@@ -36,16 +36,19 @@ def records
       private
 
       def get_caa_records(domain)
+        query(domain).select { |r| r.type == "CAA" && r.property_tag == "issue" }
+      end
+
+      def query(domain)
         resolver = Dnsruby::Resolver.new
         resolver.retry_times = 2
         resolver.query_timeout = 2
-        nspack = begin
-          resolver.query(domain, "CAA", "IN")
+        begin
+          resolver.query(domain, "CAA", "IN").answer
         rescue StandardError => e
           @error = e
-          return []
+          []
         end
-        nspack.answer.select { |r| r.type == "CAA" && r.property_tag == "issue" }
       end
     end
   end

lib/github-pages-health-check/domain.rb

@@ -5,6 +5,11 @@ module HealthCheck
     class Domain < Checkable
       attr_reader :host
 
+      GITHUB_DATACENTER_ADDRESSES = %w(
+        192.30.252.153
+        192.30.252.154
+      ).freeze
+
       LEGACY_IP_ADDRESSES = [
         # Legacy GitHub Datacenter
         "207.97.227.245",
@@ -63,12 +68,16 @@ class Domain < Checkable
         "43.249.72.133",
         "43.249.73.133",
         "43.249.74.133",
-        "43.249.75.133"
+        "43.249.75.133",
+
+        *GITHUB_DATACENTER_ADDRESSES
       ].freeze
 
       CURRENT_IP_ADDRESSES = %w(
-        192.30.252.153
-        192.30.252.154
+        185.199.108.153
+        185.199.109.153
+        185.199.110.153
+        185.199.111.153
       ).freeze
 
       HASH_METHODS = %i[
@@ -330,7 +339,8 @@ def enforces_https?
 
       # Can an HTTPS certificate be issued for this domain?
       def https_eligible?
-        (cname_to_github_user_domain? || fastly_ip?) && caa.lets_encrypt_allowed?
+        (cname_to_github_user_domain? || pointed_to_github_pages_ip?) &&
+          caa.lets_encrypt_allowed?
       end
 
       # Any errors querying CAA records

script/fmt

@@ -0,0 +1,5 @@
+#!/bin/bash
+#/ Usage: script/fmt [args]
+#/ Runs rubocop with the given arguments.
+
+bundle exec rubocop -D -S $@

script/test

@@ -3,4 +3,4 @@
 set -e
 
 bundle exec rspec $@
-bundle exec rubocop -D -S $@
+script/fmt $@

spec/github_pages_health_check/caa_spec.rb

@@ -14,8 +14,8 @@
 
   context "a domain without CAA records" do
     before(:each) do
-      expect(subject).to receive(:get_caa_records).with(domain).and_return([])
-      expect(subject).to receive(:get_caa_records).with("githubtest.com").and_return([])
+      expect(subject).to receive(:query).with(domain).and_return([])
+      expect(subject).to receive(:query).with("githubtest.com").and_return([])
     end
 
     it "knows no records exist" do
@@ -33,8 +33,8 @@
 
   context "a domain with LE CAA record" do
     before(:each) do
-      expect(subject).to receive(:get_caa_records).with(domain).and_return([])
-      expect(subject).to receive(:get_caa_records)
+      expect(subject).to receive(:query).with(domain).and_return([])
+      expect(subject).to receive(:query)
         .with("githubtest.com").and_return([caa_packet_le])
     end
 
@@ -53,9 +53,8 @@
 
   context "a domain without LE CAA record" do
     before(:each) do
-      expect(subject).to receive(:get_caa_records)
-        .with(domain).and_return([caa_packet_other])
-      expect(subject).to receive(:get_caa_records).with("githubtest.com").and_return([])
+      expect(subject).to receive(:query).with(domain).and_return([caa_packet_other])
+      expect(subject).to receive(:query).with("githubtest.com").and_return([])
     end
 
     it "knows records exist" do
@@ -73,8 +72,8 @@
 
   context "a domain which errors" do
     before(:each) do
-      expect(subject).to receive(:get_caa_records).with(domain).and_return([])
-      expect(subject).to receive(:get_caa_records).with("githubtest.com").and_return([])
+      expect(subject).to receive(:query).with(domain).and_return([])
+      expect(subject).to receive(:query).with("githubtest.com").and_return([])
       subject.instance_variable_set(:@error, Dnsruby::ServFail.new)
     end
 

spec/github_pages_health_check/domain_spec.rb

@@ -16,6 +16,10 @@
   let(:a_packet) do
     Dnsruby::RR.create("#{domain}. 1000 IN A #{ip}")
   end
+  let(:caa_domain) { "" }
+  let(:caa_packet) do
+    Dnsruby::RR.create("#{domain}. 1000 IN CAA 0 issue #{caa_domain.inspect}")
+  end
 
   context "constructor" do
     it "can handle bare domains" do
@@ -97,7 +101,7 @@
     before(:each) { allow(subject).to receive(:dns) { [a_packet] } }
 
     context "old IP addresses" do
-      %w(204.232.175.78 207.97.227.245).each do |ip_address|
+      %w(204.232.175.78 207.97.227.245 192.30.252.153 192.30.252.154).each do |ip_address|
         context ip_address do
           let(:ip) { ip_address }
 
@@ -366,7 +370,7 @@
     context "apex domains" do
       context "pointed to Pages IP" do
         let(:domain) { "fontawesome.io" }
-        let(:ip) { "192.30.252.153" }
+        let(:ip) { "185.199.108.153" }
         before(:each) { allow(subject).to receive(:dns) { [a_packet] } }
 
         it "Knows it's a Pages IP" do
@@ -560,7 +564,7 @@
       end
 
       context "a pages IP" do
-        let(:ip) { "192.30.252.153" }
+        let(:ip) { "185.199.108.153" }
 
         it "knows a site pointed to a Pages IP isn't proxied" do
           expect(subject).to_not be_proxied
@@ -788,4 +792,76 @@
       end
     end
   end
+
+  context "https eligibility" do
+    context "A records pointed to old IPs" do
+      let(:ip) { "192.30.252.153" }
+      before(:each) { allow(subject).to receive(:dns) { [a_packet] } }
+
+      it { is_expected.not_to be_https_eligible }
+    end
+
+    context "A records pointed to new IPs" do
+      let(:ip) { "185.199.108.153" }
+      before(:each) { allow(subject).to receive(:dns) { [a_packet] } }
+
+      it { is_expected.to be_https_eligible }
+
+      context "with bad CAA records" do
+        let(:caa_domain) { "digicert.com" }
+        before(:each) { allow(subject.send(:caa)).to receive(:query) { [caa_packet] } }
+
+        it { is_expected.not_to be_https_eligible }
+      end
+
+      context "with good CAA records" do
+        let(:caa_domain) { "letsencrypt.org" }
+        before(:each) { allow(subject.send(:caa)).to receive(:query) { [caa_packet] } }
+
+        it { is_expected.to be_https_eligible }
+      end
+    end
+
+    context "CNAME record pointed to username" do
+      let(:cname) { "foobar.github.io" }
+      before(:each) { allow(subject).to receive(:dns) { [cname_packet] } }
+
+      it { is_expected.to be_https_eligible }
+
+      context "with bad CAA records" do
+        let(:caa_domain) { "digicert.com" }
+        before(:each) { allow(subject.send(:caa)).to receive(:query) { [caa_packet] } }
+
+        it { is_expected.not_to be_https_eligible }
+      end
+
+      context "with good CAA records" do
+        let(:caa_domain) { "letsencrypt.org" }
+        before(:each) { allow(subject.send(:caa)).to receive(:query) { [caa_packet] } }
+
+        it { is_expected.to be_https_eligible }
+      end
+    end
+
+    context "CNAME record pointed elsewhere" do
+      let(:cname) { "jinglebells.com" }
+      before(:each) { allow(subject).to receive(:dns) { [cname_packet] } }
+
+      it { is_expected.not_to be_https_eligible }
+
+      context "with bad CAA records" do
+        let(:caa_domain) { "digicert.com" }
+        before(:each) { allow(subject.send(:caa)).to receive(:query) { [caa_packet] } }
+
+        it { is_expected.not_to be_https_eligible }
+      end
+
+      context "with good CAA records" do
+        let(:caa_domain) { "letsencrypt.org" }
+        before(:each) { allow(subject.send(:caa)).to receive(:query) { [caa_packet] } }
+
+        it { is_expected.not_to be_https_eligible }
+      end
+    end
+  end
 end